
I've made a fresh setup of Splunk 6.1 and the Windows Infrastructure app. I followed row by row the setup guide of the app and the forwarders. I have a Windows 2008 domain with two domain controllers, but in the app configuration it doesn't detect any data about Users Login/Logoff, groups and domain controllers. However, it detects the Domain, DNS, and the events from domain controllers. The ldap.conf file is structured as follows:

[default]

server=192.168.x.x (primary controller IP)

[intranet.mydomain.com]

server = PRIDC.intranet.mydomain.com

//# port = 636

//# ssl = true

basedn = DC=intranet,DC=mydomain,DC=com

binddn = CN=Splunk,CN=Users,DC=intranet,DC=mydomain,DC=com

password = xxxxxxxxxxxxx

alternatedomain = INTRANET

If we search using the standard search of Splunk we find all the events needed, especially the security events Login/Logoff with username and computers associated, but it seems that the Windows Infr App cannot retrieve these events to build the Users/Groups views. Also, the SA-Ldap search does all the searches very well.

Universal forwarders have been configured following the instructions in the User Manual of Windows Infr App. Here is the list of modules on forwarders in Windows DCs:

Splunk_TA_windows

TA-DNSServer-NT6

TA-DomainController-NT6

SA-ModularInput-PowerShell (script execution tested and ok)

And the list of modules on Splunk Server:

Windows Infrastr App

SA-ldapsearch

How can I resolve these issues? What is a configuration that enables the build of lookup tables about Users and Groups?